How does Okta work when an Active Directory account is disabled?
https://support.okta.com/help/answers?id=9062a000000bmtlqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Brian Wing

How does Okta work when an Active Directory account is disabled?

I need to understand the mechanism for how OKTA handles an AD account once it has been disabled.

If a user had an active OKTA session, would they be logged out?  Would they still be able to access accounts they had provisioned in their OKTA page?
 

How quickly does OKTA recognize that an AD account has been locked/disabled?

Marc Johnston (Okta, Inc.)
Hi Brian,

If the user still has an active session the session will remain active even when the user is deactivated in Okta. You would need to go to the user in Okta and 'Clear User Sessions'. Deactivating a user will also remove any app assignments in Okta. So all apps will be removed from their Okta page.

When you deactivate a user in AD that change needs to be brought into Okta through an import. Imports can either be scheduled (hourly/daily) on a regular basis or run manually. If you run the import manually it can be run right after you disable the user in AD.
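The behaviour Marc describes has two parts worth keeping separate: an AD disable only reaches Okta when an import runs, and a deactivation in Okta removes app assignments without ending a session that is already open. The following toy model is an added example, not Okta's code or the AD agent's; the class names, the hourly import interval and the timestamps are all constructed for illustration.

```python
"""Toy model of the lifecycle described above (added example, not Okta's code):
deactivation clears app assignments but leaves live sessions alone, and an AD
disable reaches Okta only when an import runs. All names here are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class OktaUser:
    login: str
    status: str = "ACTIVE"                       # ACTIVE or DEPROVISIONED
    apps: set = field(default_factory=set)       # app assignments shown on the user's Okta page
    sessions: set = field(default_factory=set)   # session ids that are still valid


class OktaOrg:
    def __init__(self, users, import_interval):
        self.users = {u.login: u for u in users}
        self.import_interval = import_interval
        self.last_import = None

    def next_scheduled_import(self):
        return self.last_import + self.import_interval

    def import_from_ad(self, ad_snapshot, now):
        """Scheduled or manual import: copy AD status into Okta (ad_snapshot: login -> enabled)."""
        for login, enabled in ad_snapshot.items():
            user = self.users[login]
            if not enabled and user.status == "ACTIVE":
                self.deactivate(login)
        self.last_import = now

    def deactivate(self, login):
        user = self.users[login]
        user.status = "DEPROVISIONED"
        user.apps.clear()            # app assignments are removed on deactivation...
        # ...but user.sessions is deliberately left alone: that is the gap Marc points out

    def clear_user_sessions(self, login):
        """The admin action 'Clear User Sessions'."""
        self.users[login].sessions.clear()

    def session_valid(self, login, session_id):
        return session_id in self.users[login].sessions


def run_scenario():
    """Walk through: AD disable at 09:05, hourly import, then the manual session clear."""
    org = OktaOrg([OktaUser("bwing", apps={"salesforce", "jira"}, sessions={"sess-1"})],
                  import_interval=timedelta(hours=1))
    org.last_import = datetime(2020, 1, 1, 9, 0)    # constructed: last import ran at 09:00
    ad = {"bwing": True}
    report = {}

    disabled_at = datetime(2020, 1, 1, 9, 5)        # IT disables the account in AD at 09:05
    ad["bwing"] = False
    report["okta_status_before_import"] = org.users["bwing"].status
    report["session_valid_before_import"] = org.session_valid("bwing", "sess-1")
    lag = org.next_scheduled_import() - disabled_at
    report["minutes_until_scheduled_import"] = int(lag.total_seconds() // 60)

    org.import_from_ad(ad, now=org.next_scheduled_import())   # 10:00 scheduled import
    report["okta_status_after_import"] = org.users["bwing"].status
    report["apps_after_import"] = sorted(org.users["bwing"].apps)
    report["session_valid_after_import"] = org.session_valid("bwing", "sess-1")

    org.clear_user_sessions("bwing")                          # the extra manual step
    report["session_valid_after_clear"] = org.session_valid("bwing", "sess-1")
    return report


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the user still ACTIVE with a valid session for the 55 minutes until the next scheduled import, DEPROVISIONED with no apps but still a valid session after the import, and only after `clear_user_sessions` does the session stop validating; a manual import straight after the AD change shortens the first window but does nothing about the second.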
Brian Wing
Hi Marc
Thanks for the reply. I heard differently and now I'm confused. Here's an excerpt from an email I've had going back and forth with a professional services consultant from OKTA; who's correct?

Hi Brian,
 
In both scenarios, the AD agent communicates with Okta using a long polling method. The AD agent establishes a connection with Okta for 30 seconds. During the 30s, AD will push any updates or receive any requests from Okta for delegated authentication.
 
Scenario 1 from below:  AD account is disabled by IT, user tries to log in but an Okta sync hasn’t happened since the account being disabled. What is the conversation between OKTA and AD when authentication is attempted?
 
Let us assume that IT has disabled the user on the AD side, but sync has not happened with Okta. The user tries to connect to Okta with AD credentials; when the long polling from the AD agent establishes the connection with Okta, Okta will delegate the authentication to AD for that user. AD checks the user against AD status and sends a negative status to Okta, and Okta will send a sign-in failed to the user.
 
Scenario 2 from below:  Same situation IT disables the AD account, what is the conversation between OKTA and AD?
 
Similar to the above scenario, the user is logged in and IT disables the AD account. The moment the account is disabled, the next connection that is established during the long polling will expire the Okta session and log the user out of Okta immediately.
 
Hope this helps, please do let me know if you need more details. 
 
Thanks and Regards,
Madhu Ramanujam,
Technical Consultant, Professional Services | Okta, Inc.
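Scenario 1 in the quoted email describes a delegated authentication exchange: Okta does not answer a password sign-in from its own cached user status but hands the request to the AD agent on its next long-poll connection, and the agent answers from AD's current account state. The block below models that exchange with both sides' messages. It is an added example, not Okta's or the AD agent's code; the `OktaService` and `AdAgent` classes, the message wording and the AD snapshot are constructed here, and only the 30-second poll window comes from the email.

```python
"""Model of the long-polling delegated authentication exchange described in the
quoted email (added example; not Okta's or the AD agent's code). Class names,
message wording and the AD snapshot are all constructed for illustration."""
import hmac
from collections import deque
from dataclasses import dataclass

POLL_WINDOW_SECONDS = 30   # from the quoted email: each agent connection lasts 30 s


@dataclass
class AuthRequest:
    request_id: int
    login: str
    password: str


class OktaService:
    """Okta side: queues delegated-auth requests until an agent poll picks them up."""

    def __init__(self):
        self.pending = deque()
        self.results = {}
        self.transcript = []
        self._next_id = 1

    def sign_in(self, login, password):
        """A user submits AD credentials; Okta cannot decide this locally."""
        req = AuthRequest(self._next_id, login, password)
        self._next_id += 1
        self.pending.append(req)
        self.transcript.append(f"user -> okta: sign-in {login}")
        return req.request_id

    def agent_poll(self, agent, now):
        """One long-poll connection: hand pending requests to the agent, take answers back."""
        self.transcript.append(f"agent -> okta: long poll opened (t={now}s)")
        while self.pending:
            req = self.pending.popleft()
            self.transcript.append(f"okta -> agent: delegate auth #{req.request_id} for {req.login}")
            ok, reason = agent.authenticate(req.login, req.password)
            self.results[req.request_id] = (ok, reason)
            verdict = "success" if ok else f"failed: {reason}"
            self.transcript.append(f"agent -> okta: #{req.request_id} {verdict}")
        self.transcript.append(f"okta -> agent: poll closed (t={now + POLL_WINDOW_SECONDS}s)")

    def outcome(self, request_id):
        """What the user sees; until an agent has polled there is no answer at all."""
        return self.results.get(request_id, (False, "no agent reply yet"))


class AdAgent:
    """AD agent side: checks status and credentials against a constructed AD snapshot."""

    def __init__(self, directory):
        self.directory = directory   # login -> {"password": str, "enabled": bool}

    def authenticate(self, login, password):
        acct = self.directory.get(login)
        if acct is None:
            return False, "unknown user"
        if not acct["enabled"]:
            return False, "account disabled"   # AD's current state wins, import or no import
        if not hmac.compare_digest(acct["password"], password):
            return False, "bad password"
        return True, "ok"


def scenario_one():
    """AD disabled the user, no import has run, and the user tries to sign in."""
    agent = AdAgent({"bwing": {"password": "Winter2020!", "enabled": False},     # constructed
                     "mjohnston": {"password": "Spring2020!", "enabled": True}})
    okta = OktaService()
    disabled_req = okta.sign_in("bwing", "Winter2020!")    # right password, disabled account
    enabled_req = okta.sign_in("mjohnston", "Spring2020!")
    before_poll = okta.outcome(disabled_req)               # nothing decided until the agent polls
    okta.agent_poll(agent, now=0)
    return {
        "before_poll": before_poll,
        "disabled_user": okta.outcome(disabled_req),
        "enabled_user": okta.outcome(enabled_req),
        "transcript": okta.transcript,
    }


if __name__ == "__main__":
    result = scenario_one()
    print("\n".join(result["transcript"]))
    print("disabled user:", result["disabled_user"])
```

The point the model makes is that a password sign-in fails as soon as AD says the account is disabled, regardless of whether Okta's own copy of the user is still active; the agent's poll cadence is the only delay. Whether an already established Okta session is ended on the next poll, as the email claims in Scenario 2, or survives until sessions are cleared, as Marc states, is exactly the disagreement this thread leaves open, so the model does not take a position on it.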